CWE-352— Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.— MITRE CWE catalog
8,856 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-352page 138 of 178
- CVE-2025-14853MEDIUMCVSS 4.3EG 4.32026-01-16
The LEAV Last Email Address Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions <= 1.7.1. This is due to missing or incorrect nonce validation on the display_settings_page function. This makes it possible…
- CVE-2025-14873MEDIUMCVSS 4.3EG 4.32026-02-14
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. This is due to the 'call_by_route_name' function in the rou…
- CVE-2025-14903MEDIUMCVSS 4.3EG 4.32026-01-24
The Simple Crypto Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. This is due to missing nonce validation on the scs_backend function. This makes it possible for unauthen…
- CVE-2025-14904MEDIUMCVSS 4.3EG 4.32026-01-07
The Newsletter Email Subscribe plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4. This is due to incorrect nonce validation on the nels_settings_page function. This makes it possible for…
- CVE-2025-14906MEDIUMCVSS 4.3EG 4.32026-01-24
The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce verification on the wpYTVideoGallerySettingSave() function. This makes it…
- CVE-2025-14907MEDIUMCVSS 4.3EG 4.32026-01-24
The Moderate Selected Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce verification on the msp_admin_page() function. This makes it possible for …
- CVE-2025-14976MEDIUMCVSS 5.4EG 5.42026-01-10
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and i…
- CVE-2025-14999MEDIUMCVSS 4.3EG 4.32026-01-07
The Latest Tabs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings update handler in admin-page.php. This makes i…
- CVE-2025-1506MEDIUMCVSS 4.3EG 4.32025-02-28
The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.0. This is due to missing or incorrect nonce validation on the counter_access_key_se…
- CVE-2025-1530MEDIUMCVSS 4.3EG 4.32025-03-15
The Tripetto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.0.9. This is due to missing nonce validation. This makes it possible for unauthenticated attackers to delete arbitrary re…
- CVE-2025-15376MEDIUMCVSS 4.3EG 4.32026-01-14
The Stopwords for comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the 'set_stopwords_for_comments' and 'delete_stopwords_for_co…
- CVE-2025-15377MEDIUMCVSS 4.3EG 4.32026-01-14
The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'admin_page_content' function. This makes it possible for u…
- CVE-2025-15405MEDIUMCVSS 4.3EG 4.32026-01-01
A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function. The manipulation results in cross-site request forgery. The attack may be launched remotely.
- CVE-2025-15550MEDIUMCVSS 5.3EG 5.32026-01-29
birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vulnerability in its GraphQL endpoint that allows attackers to exploit GET-based query requests. Attackers can craft malicious GET requests to trigger unauthorized actions …
- CVE-2025-1557MEDIUMCVSS 4.3EG 4.32025-02-22
A vulnerability, which was classified as problematic, was found in OFCMS 1.1.3. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been discl…
- CVE-2025-15635MEDIUMCVSS 4.3EG 4.32026-04-15
Cross-Site Request Forgery (CSRF) vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Cross Site Request Forgery.This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0.
- CVE-2025-1643MEDIUMCVSS 4.3EG 4.32025-02-25
A vulnerability was found in Benner ModernaNet up to 1.1.0. It has been rated as problematic. This issue affects some unknown processing of the file /DadosPessoais/SG_AlterarSenha. The manipulation leads to cross-site request forgery. The …
- CVE-2025-1644MEDIUMCVSS 4.3EG 4.32025-02-25
A vulnerability classified as problematic has been found in Benner ModernaNet up to 1.2.0. Affected is an unknown function of the file /DadosPessoais/SG_Gravar. The manipulation of the argument idItAg leads to cross-site request forgery. I…
- CVE-2025-1687HIGHCVSS 8.8EG 8.82025-02-28
The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing nonce validation on the 'update_user_profile' function. This makes it possible for unauthenticate…
- CVE-2025-1745MEDIUMCVSS 4.3EG 4.32025-02-27
A vulnerability has been found in LinZhaoguan pb-cms 2.0 and classified as problematic. This vulnerability affects unknown code of the component Logout. The manipulation leads to cross-site request forgery. The attack can be initiated remo…
- CVE-2025-1762MEDIUMCVSS 4.3EG 4.32025-03-28
The Event Tickets with Ticket Scanner WordPress plugin before 2.5.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
- CVE-2025-1764HIGHCVSS 7.5EG 7.52025-03-14
The LoginPress | wp-login Custom Login Page Customizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.1. This is due to missing or incorrect nonce validation on the 'custom_plugin…
- CVE-2025-1798MEDIUMCVSS 6.1EG 6.12025-03-25
The does not sanitise and escape some parameters when outputting them back in a page, allowing unauthenticated users the ability to perform stored Cross-Site Scripting attacks.
- CVE-2025-1813MEDIUMCVSS 4.3EG 4.32025-03-02
A vulnerability classified as problematic was found in zj1983 zz up to 2024-08. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The expl…
- CVE-2025-1891MEDIUMCVSS 4.3EG 4.32025-03-04
A vulnerability was found in shishuocms 1.1 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclos…
- CVE-2025-1926MEDIUMCVSS 4.3EG 4.32025-03-10
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.8. This is due to missing or incorrect nonce validation on the pagelay…
- CVE-2025-1927HIGHCVSS 7.1EG 7.12025-12-19
Cross-Site Request Forgery (CSRF) vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Cross Site Request Forgery. This issue affects Online Food Delivery System: through 19122025. NOTE: The vendor w…
- CVE-2025-20195MEDIUMCVSS 4.3EG 4.32025-05-07
A vulnerability in the web-based management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform a CSRF attack and execute commands on the CLI of an affected device. This vulnerability is due to…
- CVE-2025-20228MEDIUMCVSS 6.5EG 6.52025-03-26
In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.2.2403.108, and 9.1.2312.204, a low-privileged user that does not hold the "admin" or "power" Splunk roles could change the maintenance …
- CVE-2025-20321MEDIUMCVSS 6.5EG 6.52025-07-07
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could chang…
- CVE-2025-20322MEDIUMCVSS 4.3EG 4.32025-07-07
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that …
- CVE-2025-20326MEDIUMCVSS 4.3EG 8.82025-09-03
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) Software and Cisco Unified CM Session Management Edition (SME) Software could allow an unauthenticated, remote attacker to conduct a…
- CVE-2025-2042MEDIUMCVSS 4.3EG 4.32025-03-06
A vulnerability has been found in huang-yk student-manage 1.0 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit h…
- CVE-2025-2111HIGHCVSS 7.5EG 7.52025-04-19
The Insert Headers And Footers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.1. This is due to missing or incorrect nonce validation on the 'custom_plugin_set_option' function. T…
- CVE-2025-21193MEDIUMCVSS 6.5EG 6.52025-01-14
Active Directory Federation Server Spoofing Vulnerability
- CVE-2025-21489MEDIUMCVSS 6.1EG 6.12025-01-21
Vulnerability in the Oracle Advanced Outbound Telephony product of Oracle E-Business Suite (component: Region Mapping). Supported versions that are affected are 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attac…
- CVE-2025-21507MEDIUMCVSS 5.4EG 5.42025-01-21
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows low privileged attacker with…
- CVE-2025-21513MEDIUMCVSS 6.1EG 6.12025-01-21
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows unauthenticated attacker wit…
- CVE-2025-21526MEDIUMCVSS 5.4EG 5.42025-01-21
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: Web Access). Supported versions that are affected are 20.12.1.0-20.12.21.5, 21.12.1.0-21.12.20.0, 22.12.1…
- CVE-2025-21528MEDIUMCVSS 4.3EG 4.32025-01-21
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: Web Access). Supported versions that are affected are 20.12.1.0-20.12.21.5, 21.12.1.0-21.12.20.0, 22.12.1…
- CVE-2025-21538MEDIUMCVSS 6.1EG 6.12025-01-21
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.2. Easily exploitable vulnerability allows unauthenticated attacker wit…
- CVE-2025-21550MEDIUMCVSS 6.1EG 6.12025-01-21
Vulnerability in the Oracle Financial Services Behavior Detection Platform product of Oracle Financial Services Applications (component: Web UI). Supported versions that are affected are 8.0.8.1, 8.1.2.7 and 8.1.2.8. Easily exploitable v…
- CVE-2025-21576MEDIUMCVSS 5.4EG 5.42025-04-15
Vulnerability in the Oracle Commerce Platform product of Oracle Commerce (component: Dynamo Personalization Server). Supported versions that are affected are 11.3.0, 11.3.1 and 11.3.2. Easily exploitable vulnerability allows low privileg…
- CVE-2025-2163MEDIUMCVSS 6.1EG 6.12025-03-15
The Zoorum Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the zoorum_set_options() function. This makes it possi…
- CVE-2025-2168MEDIUMCVSS 4.3EG 4.32025-05-01
The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and…
- CVE-2025-22297MEDIUMCVSS 4.3EG 4.32025-01-07
Cross-Site Request Forgery (CSRF) vulnerability in aipost AI WP Writer ai-wp-writer allows Cross Site Request Forgery.This issue affects AI WP Writer: from n/a through <= 3.8.4.4.
- CVE-2025-22300MEDIUMCVSS 5.4EG 5.42025-01-07
Cross-Site Request Forgery (CSRF) vulnerability in PixelYourSite PixelYourSite – Your smart PIXEL (TAG) Manager pixelyoursite allows Cross Site Request Forgery.This issue affects PixelYourSite – Your smart PIXEL (TAG) Manager: from n/a…
- CVE-2025-22301MEDIUMCVSS 5.4EG 5.42025-01-07
Cross-Site Request Forgery (CSRF) vulnerability in zookatron MyBookTable Bookstore mybooktable allows Cross Site Request Forgery.This issue affects MyBookTable Bookstore: from n/a through <= 3.5.3.
- CVE-2025-22325HIGHCVSS 7.1EG 7.12025-01-07
Cross-Site Request Forgery (CSRF) vulnerability in nchankov Autocompleter autocompleter allows Stored XSS.This issue affects Autocompleter: from n/a through <= 1.3.5.2.
- CVE-2025-22328HIGHCVSS 7.1EG 7.12025-01-07
Cross-Site Request Forgery (CSRF) vulnerability in Elevio by Dixa Elevio elevio allows Stored XSS.This issue affects Elevio: from n/a through <= 4.4.1.
Map vulnerabilities like CWE-352 to your infrastructure
EchelonGraph correlates every CVE — across CWE-352 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →